Malicious npm package published by user shetty123 as part of a Telegram account hijacking framework targeting Indian Telegram users. All 502 published versions (1.0.1 through 1.3.207) are malicious. Pairs with ams-ssk, which provides the operator's server-side AMS/CMS infrastructure.
common-tg-service performs full Telegram account takeover at runtime when the service is initialized (no install-time hooks, which lets it bypass scanners that gate on preinstall/postinstall lifecycle scripts). Behavior includes: implanting a hardcoded 2FA password (Ajtdmwajt1@) and recovery email on hijacked accounts; polling an operator-controlled Gmail inbox over IMAP (imap.gmail.com) to auto-submit 2FA confirmation codes; revoking all device authorizations except the attacker's session; harvesting OTP codes by monitoring Telegram chat 777000 and forwarding them to the operator; running SRP ownership checks against managed accounts and flagging rotated 2FA as unrecoverable; and fetching remote JSON configuration from npoint.io so operators can change behavior without re-publishing.
Blocked outbound requests are laundered through a relay at helper-thge.onrender.com. Stolen accounts and updates are exfiltrated to attacker-controlled Telegram channels (-1001801844217 and -1001972065816). Operator infrastructure includes paidgirl.site, cms.paidgirl.site, report-upi.netlify.app, and promoteClients2.glitch.me.
-= Per source details. Do not edit below this line.=-
This package wires a global NestJS AuthGuard (registered via APPGUARD in AppModule) that grants authenticated access to any deployed consumer service under several attacker-controlled conditions: (1) any HTTP request carrying header or query parameter apiKey=santoor (case-insensitive) is treated as authenticated — see dist/guards/auth.guard.js line 80; (2) requests originating from a hardcoded list of five public IPs (31.97.59.2, 148.230.84.50, 13.228.225.19, 18.142.128.26, 54.254.162.138) are unconditionally allowed — dist/guards/auth.guard.js lines 14–20; (3) requests with an Origin header matching author-owned web properties (paidgirl.site, zomcall.netlify.app, tgchats.netlify.app, tg-chats.netlify.app, report-upi.netlify.app) are accepted — dist/guards/auth.guard.js lines 21–27; and (4) a long IGNOREPATHS list bypasses auth entirely on destructive routes (/exit, /sendtoall, /sendmessage, /sendtochannel, /joinchannel, /leavechannel, /executehs, /executehsl, etc.). AppController exposes POST /execute-request (dist/app.controller.js lines 80–105), which proxies arbitrary HTTP requests server-side — combined with the master key this turns every consumer deployment into an open SSRF/relay reachable by anyone who reads the public tarball. CloudinaryService.downloadAndExtractZip fetches https://cms.paidgirl.site/folders/${folderName}/files/download-all and runs AdmZip.extractAllTo(process.cwd(), true) on the result with no integrity check (dist/cloudinary.js lines 69, 84) — the author can overwrite arbitrary files (including dist/index.js, package.json) in the deployed app's working directory and achieve code execution on the next start. generateTGConfig defaults SOCKS5 proxy fetch and IP-management to https://cms.paidgirl.site/ip-management with x-api-key santoor (dist/components/Telegram/utils/generateTGConfig.js line 97), routing the installer's Telegram MTProto sessions through author-selected proxies. fetchWithTimeout silently re-POSTs any 403/495 request — including its original headers and body — to https://helper-thge.onrender.com/execute-request (dist/utils/fetchWithTimeout.js lines 80–85), exfiltrating auth tokens and request payloads to an author-operated relay. On bootstrap, InitModule.onModuleInit posts the installer's clientId to api.telegram.org chat_id -1001801844217 (dist/utils/logbots.js line 24), with subsequent unauthorized-attempt logs sent to the same author channel by default. The combined effect: every installer that imports AppModule grants the author persistent remote access, code-execution capability, MTProto traffic interception, and a silent-relay exfiltration channel.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"source": "amazon-inspector",
"import_time": "2026-05-12T07:28:57.937817916Z",
"sha256": "b90ad93b19ce09a090f9837117fe06f9a4b7b15a8268160182e9d671f0f19b65",
"modified_time": "2026-05-12T06:53:21Z"
},
{
"sha256": "cabb88eaa75d4e2a841ec661c545d4d4796871fc3da8e39da527bfa0a33b74a7",
"id": "IN-MAL-2026-006138",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:12.322610047Z",
"modified_time": "2026-06-12T19:09:48Z",
"versions": [
"1.3.221"
]
},
{
"modified_time": "2026-06-15T19:49:45Z",
"id": "IN-MAL-2026-006685",
"source": "amazon-inspector",
"import_time": "2026-06-15T20:14:27.612881018Z",
"sha256": "7cd3b6dd4751c7296aa980af903101344ab538b1a9ead17da5699ab21bcfdfdb",
"versions": [
"1.3.226"
]
},
{
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "GHSA-wvhv-cgwm-v2hv",
"source": "ghsa-malware",
"import_time": "2026-07-08T16:48:24.192884122Z",
"sha256": "3e16628ad8dc1e6a6c98044a97ae5b72aec56f8a5a5bbc5bdff50bdaf51d978e",
"modified_time": "2026-07-08T16:09:53Z"
},
{
"sha256": "c85f345f7208547f4f43331b339412172ad80caee29352b3ea4aa5c939cdac83",
"id": "IN-MAL-2026-008479",
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:34.102491874Z",
"modified_time": "2026-07-08T20:16:44Z",
"versions": [
"1.3.238"
]
},
{
"sha256": "cb71c95df9d76c248d6e1465348d7d089a9d76c93d47367835a9ec5c80a9b5db",
"id": "IN-MAL-2026-008365",
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:19.3232289Z",
"modified_time": "2026-07-08T19:59:38Z",
"versions": [
"1.3.234"
]
},
{
"modified_time": "2026-07-08T20:16:25Z",
"id": "IN-MAL-2026-008477",
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:33.871682683Z",
"sha256": "ff18ab4c9d0c5460093f5754b91e97bc6a0f03fec98dc31f05468c75fefcad4b",
"versions": [
"1.3.225"
]
},
{
"modified_time": "2026-07-08T20:16:35Z",
"id": "IN-MAL-2026-008478",
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:33.995410061Z",
"sha256": "1629ced644e954e39f32243ede3a8285eafc20d0640ef4eb683fc87f056d1d52",
"versions": [
"1.3.236"
]
},
{
"sha256": "6b34b2ef550f0af9ef9a8a9d26f366fdf362e40323378494c895a6924d0a5d21",
"id": "IN-MAL-2026-008366",
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:19.486744837Z",
"modified_time": "2026-07-08T19:59:48Z",
"versions": [
"1.3.231"
]
},
{
"sha256": "6e56df6810a3410e315495b78d7e102e8983650217eafaeb4f9ab926b5a8c75c",
"id": "IN-MAL-2026-008476",
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:33.768945115Z",
"modified_time": "2026-07-08T20:16:15Z",
"versions": [
"1.3.227"
]
},
{
"modified_time": "2026-07-08T20:32:50Z",
"id": "IN-MAL-2026-008589",
"source": "amazon-inspector",
"import_time": "2026-07-08T21:27:48.813974325Z",
"sha256": "5a549fbfd512c863cdf93bc602bc01fda9bdf7b730e8cd6253ce6c24a8acb056",
"versions": [
"1.3.223"
]
},
{
"sha256": "f714d8b7c30052980ce58752b96ce39ba7b42b6839c1ab693c3de41a698f49e9",
"id": "IN-MAL-2026-008591",
"source": "amazon-inspector",
"import_time": "2026-07-08T21:27:48.950561131Z",
"modified_time": "2026-07-08T20:33:09Z",
"versions": [
"1.3.224"
]
},
{
"sha256": "ad2533c7e094af2e17e40ef8b7e48ca619de991111618c094340ef67a8b68dc6",
"id": "IN-MAL-2026-008961",
"source": "amazon-inspector",
"import_time": "2026-07-08T23:27:55.86355445Z",
"modified_time": "2026-07-08T22:58:37Z",
"versions": [
"1.3.229"
]
},
{
"modified_time": "2026-07-08T23:05:00Z",
"id": "IN-MAL-2026-009006",
"source": "amazon-inspector",
"import_time": "2026-07-08T23:27:58.821162169Z",
"sha256": "6d4f3d2050ce23d25389449cc57d06e2e090679c70b82ce50179c8c2d71e991e",
"versions": [
"1.3.222"
]
}
]
}{
"evidence_files": [
{
"path": "dist/utils/logbots.js",
"tlsh": "b8319d4825fb6476835248955fdfc0b4792275133e8dec34b56cd3c24f41ab652e3e84",
"sha256": "362c140115aa0192f39e33d94ba39345e144aae3f865d0b5e68ac57a14d8b3d3"
},
{
"path": "dist/utils/fetchWithTimeout.js",
"tlsh": "4e32725a2bf3552701e320a8922f64123633a9071a19fd507b5c97117f8859ceef3bd9",
"sha256": "ab846b4523706a54989794d987a57d82076372ff2ae1363b8b3d849897c1831f"
},
{
"path": "dist/cloudinary.js",
"tlsh": "9ff1a5870af79533907771ae1b2f1402b522c907252ced18bb8ca365afe1590ecd1ee8",
"sha256": "421e14a820d21d8edf7e2f70d33fed4188f2fb2d9d5774b9d4434280703cd676"
},
{
"path": "dist/guards/auth.guard.js",
"tlsh": "be1242da21f77560c32291ad8f0b6206b124e457380dedb57eac51d5afc9168c3f2aa8",
"sha256": "c551806048a3c62f8207520667f12985cf7af79ff896e5d36a5fe4aa63b4e86d"
}
],
"package_integrity": [
{
"filename": "common-tg-service-1.3.221.tgz",
"hashes": {
"sha1": "5ff1aaa669b821427383b1720a26fb422d5ce193",
"sha512_sri": "sha512-UkEwv8LgmRkUUhboUOc0QeqR6adrrdODEhlQdMsyISvLSe/KtlFhO6GF301ioTwSGX0rCREl3Q+pqB4L5jRIRg=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/common-tg-service/MAL-2026-3288.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]